Bug 100568 - Read overflow in test/corrupt.c
Summary: Read overflow in test/corrupt.c
Status: RESOLVED FIXED
Alias: None
Product: dbus
Classification: Unclassified
Component: core (show other bugs)
Version: 1.10
Hardware: x86-64 (AMD64) Linux (All)
: medium minor
Assignee: D-Bus Maintainers
QA Contact: D-Bus Maintainers
URL:
Whiteboard: review+
Keywords: patch
Depends on:
Blocks:
 
Reported: 2017-04-04 20:11 UTC by Yury Gribov
Modified: 2017-04-07 10:29 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:


Attachments
test: Fix reading off the end of an array in test-corrupt (1.25 KB, patch)
2017-04-05 10:36 UTC, Philip Withnall
Details | Splinter Review
test: Fix a couple of memory leaks in test-corrupt (1.60 KB, patch)
2017-04-05 10:36 UTC, Philip Withnall
Details | Splinter Review

Note You need to log in before you can comment on or make changes to this bug.
Description Yury Gribov 2017-04-04 20:11:41 UTC
There's a harmless read overflow in test_byte_order in test/corrupt.c:

  const gchar *arg = not_a_dbus_message;
  const gchar * const *args = &arg;
  ...
  /* Append 0xFF bytes, so that the length of the body when byte-swapped
   * is 0xFF000000, which is invalid */
  mem = dbus_message_append_args (message,
      DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, &args, 0xFF,
      DBUS_TYPE_INVALID);

reads 255 bytes from memory addressed by 'args', even though it's only valid to read 8 (== sizeof(arg)).

This has been found with Asan when building dbus via debian_pkg_test (https://github.com/yugr/debian_pkg_test). The bug was found in 1.10.6 but I see the offending code is the same in master.

Asan's report is

==17105==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe89540648 at pc 0x7fcfce851ab3 bp 0x7ffe89540020 sp 0x7ffe8953f7c8
READ of size 255 at 0x7ffe89540648 thread T0
    #0 0x7fcfce851ab2 in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x64ab2)
    #1 0x7fcfce330c54 in copy ../../dbus/dbus-string.c:1219
    #2 0x7fcfce328080 in marshal_1_octets_array ../../dbus/dbus-marshal-basic.c:868
    #3 0x7fcfce328080 in _dbus_marshal_write_fixed_multi ../../dbus/dbus-marshal-basic.c:1041
    #4 0x7fcfce2d9dca in _dbus_type_writer_write_fixed_multi ../../dbus/dbus-marshal-recursive.c:2379
    #5 0x7fcfce2e594f in dbus_message_append_args_valist ../../dbus/dbus-message.c:1874
    #6 0x7fcfce2e6182 in dbus_message_append_args ../../dbus/dbus-message.c:1802
    #7 0x557893fb4ddf in test_byte_order ../../test/corrupt.c:285
    #8 0x7fcfcd9da7da  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6f7da)
    #9 0x7fcfcd9da9a2  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6f9a2)
    #10 0x7fcfcd9da9a2  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6f9a2)
    #11 0x7fcfcd9dabad in g_test_run_suite (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6fbad)
    #12 0x7fcfcd9dabd0 in g_test_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6fbd0)
    #13 0x557893fb3cd7 in main ../../test/corrupt.c:395
    #14 0x7fcfcd5c282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x557893fb3dd8 in _start (/build/dbus-1.10.6/build-debug/test/.libs/lt-test-corrupt+0x7dd8)

Address 0x7ffe89540648 is located in stack of thread T0 at offset 296 in frame
    #0 0x557893fb4c8f in test_byte_order ../../test/corrupt.c:268
    
  This frame has 6 object(s):
    [32, 36) 'fd'
    [96, 100) 'blob_len'
    [160, 168) 'gerror'
    [224, 232) 'blob' 
    [288, 296) 'arg'
    [352, 360) 'args' <== Memory access at offset 296 partially underflows this variable
Comment 1 Philip Withnall 2017-04-05 10:36:41 UTC
Created attachment 130686 [details] [review]
test: Fix reading off the end of an array in test-corrupt

One level of pointer indirection too many when passing the arguments to
dbus_message_append_args().

https://bugs.freedesktop.org/show_bug.cgi?id=100568

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Comment 2 Philip Withnall 2017-04-05 10:36:44 UTC
Created attachment 130687 [details] [review]
test: Fix a couple of memory leaks in test-corrupt

Spotted while testing bug #100568.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Comment 3 Simon McVittie 2017-04-05 10:49:04 UTC
Patches look good, thanks.
Comment 4 Simon McVittie 2017-04-07 10:29:50 UTC
Fixed in 1.10.18, and in git master for 1.11.12.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.